Digital Forensics in Employee Wrongdoing Cases

Lars Daniel

If data can get in, then data can get out. This is the reason we are seeing so many issues lately related to cyber breaches and personal health, financial and identifying information being lost by major entities around the world. The level of damages incurred from these incidents is almost always a matter of how prepared and secure an organization is. Even with the best security, the ethos has changed. No matter if the organization is public or private, small or large, it is understood that with data breaches by malicious actors, it is not a matter of if a breach will happen, but when.

This is also the case with employee wrongdoing. As with cybersecurity, if data can get in, then data can get out. We are well past the days of BYOD being the only feasible method of malicious data extraction out of an organization. In the thousands of cases we have worked on, organizations allowing employees to use their own devices are still relatively common. However, even when an organization does not allow this and its IT department has safeguards against any foreign device being plugged into a company computer or server, there are still a plethora of ways data can be exfiltrated from an organization.

Confidential customer lists, proprietary information and executive strategy documents are now being transferred out of an organization maliciously by employees, or former employees, using filesharing applications, cloud-based services, messaging applications, videos taken of the computer screen directly from cell phones and personal email accounts.

Every time an application introduces methods to transfer files using a computer, cell phone or tablet, it increases its potential customer base. Subsequently, the danger of data theft by an employee is greater than ever, if only because the means to do so are so easily accessible and require such a low level of technical sophistication.

Examples abound from the cases we have worked. We’ve seen thousands of emails sent from work email accounts to secret personal email accounts, and even sensitive company data transferred via messaging application by a disgruntled employee to the cell phones of their children to obfuscate the activity.

We’ve seen employees deploy remote access capabilities to computers after their termination date so they can go in and harvest the data they want after walking out of the building, which, believe it or not, is relatively simple even for a technology novice with modern software applications.

All of the aforementioned methods are at the fingertips of a non-sophisticated technology user. The ways a technocrat can nefariously extract data are so convoluted and multifarious that they are truly limited only by ability and imagination. We have seen employees create backups of their entire computer in proprietary software formats so that they are essentially hidden from non-forensic review, and then subsequently delete all of the sensitive information from their machine so it appears “clean”. That computer would then look clean enough for the employee to walk right out the door on their last day with no concern from the company; that is, until the company starts seeing its customers being solicited and poached.

Here we come full circle. In many cyber breaches, an organization that is having sensitive data stolen by hackers usually doesn’t know it is occurring until weeks or months after the initial breach occurred. The same is true in employee wrongdoing cases. An employee has stolen data and the organization doesn’t know until weeks or months have passed. The damage is already done and that employee is at their new job opportunistically wielding their previous employer’s data.

The passage of time harms data. For example, let’s play out a common scenario. The computer a former employee used to steal data has been given to a new hire. Every moment that computer is in operation it is overwriting unallocated space, often called “deleted space,” with new data, truly deleting the forensic artifacts and evidence of wrongdoing that lived there. Without this evidence, the chances of successful litigation are compromised.

Truly, this is an all too common scenario that we see. It is in an organization’s best interest to preserve the computers, cell phones and other digital devices involved. This could mean placing those items into secure storage and leaving them untouched for a period of time, or, preferably, having them forensically imaged so that the images can be verified in accordance with forensic best practices. This is especially helpful if litigation ensues and expert testimony may be required. Another benefit is that the devices can then be wiped and put back into circulation.
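The preservation step described above, as an added example that is not the author's or Guardian Digital Forensics' code: a small Python acquisition-and-verification routine that copies a source bit-for-bit, records SHA-256 hashes of source and image together with the examiner and time in a JSON preservation record, and later re-verifies the image so that any byte changed after acquisition is detected. The "device" is a constructed temporary file, and the examiner name and record layout are assumptions.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
CHUNK = 1 << 20  # 1 MiB reads: a large image is hashed without loading it into RAM

def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image, examiner):
    """Bit-for-bit copy of source to image, plus a preservation record (hash, who, when)."""
    src_hash = sha256_file(source)  # hash the original before copying
    with open(source, "rb") as s, open(image, "wb") as d:
        for block in iter(lambda: s.read(CHUNK), b""):
            d.write(block)
    img_hash = sha256_file(image)  # hash the copy after writing
    record = {
        "source": source, "image": image, "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source_sha256": src_hash, "image_sha256": img_hash,
        "verified_at_acquisition": src_hash == img_hash,  # what the examiner attests to
    }
    with open(image + ".json", "w") as f:
        json.dump(record, f, indent=2)
    return record

def verify_image(image):
    """Re-hash the image and compare with the hash recorded at acquisition."""
    with open(image + ".json") as f:
        record = json.load(f)
    return sha256_file(image) == record["image_sha256"]

def demo():
    """Constructed stand-in for a seized drive: acquire, verify, then detect a changed byte."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "device.bin"), os.path.join(d, "device.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))  # constructed sample content, not real data
        rec = acquire_image(src, img, "Examiner (hypothetical)")
        ok_before = verify_image(img)
        with open(img, "r+b") as f:  # alter one byte, as any later write to the image would
            f.seek(CHUNK + 5); byte = f.read(1)[0]
            f.seek(CHUNK + 5); f.write(bytes([byte ^ 1]))
        return rec["verified_at_acquisition"], ok_before, verify_image(img)
```

On a real device the source would be the block device opened read-only behind a write blocker; the hash comparison is the same.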

Never underestimate the human imagination. Even with the most elite of internal information technology experts on staff, when there is a will, there is a way.


Lars Daniel is a digital forensics examiner with Guardian Digital Forensics. He holds eight certifications in cell phone forensics, computer forensics and telecommunications. He has testified as an expert over 25 times in state and federal court, and is the author of two books, “Digital Forensics for Legal Professionals” and “Digital Forensics Trial Graphics.” He teaches dozens of CLE classes across the United States every year. His curriculum vitae, references, and testimony experience are available upon request. Contact him at (919) 868-6291, Lars@guardiandf.com or www.guardiandf.com.